Explore a relatively unexplored class of vulnerabilities in Electron-based applications that can turn cross-site scripting (XSS) into remote code execution (RCE) in this Black Hat conference presentation. Delve into the anatomy of Electron apps, focusing on the BrowserWindow preload feature and its potential security implications. Examine the lifecycle, context isolation, and how Electron differs from traditional browsers. Follow along with a full chain exploit demonstration, including XSS and nodeIntegration bypasses. Learn about secure-by-default settings, Chromium upgrades, and survey results on Electron security. Investigate the preload attack surface, exploring case studies involving popular applications like Wire and Discord. Understand the risks associated with Node's Buffer, IPC mechanisms, and prototype pollution in the preload context. Gain insights into sandboxing, native capabilities, and developer responsibilities when building Electron apps. Discover techniques for making preload work with context isolation and walk away with valuable knowledge on securing Electron-based applications against these emerging threats.
Overview
Syllabus
Intro
Anatomy of Electron-based Apps
Lifecycle
ContextIsolation 1/2
Electron is NOT a browser
From Browser to Electron - Attack Surface
From Browser to Electron- Isolation
Full chain exploit (Step 1)
Cross-Site Scripting
Full chain exploit (Step 2)
nodelntegration bypasses
Affected Configs
Exploits
Secure-by-Default Settings (v5)
Chromium Upgrades
Survey Results
preload - A neglected attack surface
Node's Buffer
Case Study - Wire App 1/3
Case Study - Discord 3/3
IpcMain and ipcRenderer 1/2
Leveraging the Internal Electron IPC
Case Study - (Again) Discord 3/3
Sandboxing 2/2
Native Capabilities, and Your Responsibility
Prototype Pollution - Preload
Case Study - Undisclosed 2/3
Prototype Pollution - Electron
Making Preload works with ContextIsolation
Black Hat Sound Bytes 2/3
Taught by
Black Hat
